The Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH") expanded the protections provided under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") for the privacy and security of certain protected health information ("PHI"). In 2009 and 2010, the Department of Health and Human Services ("HHS") issued proposed and interim final rules (the "Interim Guidance") addressing provisions of HITECH that affect both "Covered Entities," such as certain employer-sponsored group health plans, and the service providers that handle PHI on their behalf ("Business Associates").
HHS finalized the Interim Guidance in early 2013 (the "2013 Final Rules") with a general compliance date of September 23, 2013. The 2013 Final Rules adopt some provisions of the Interim Guidance with minor or no changes, while significantly revising others. Therefore, even Covered Entities and Business Associates who have sought to comply with the Interim Guidance may want to review their practices in light of the 2013 Final Rules. A more thorough review may be appropriate for Covered Entities and Business Associates who are less certain regarding the status of their existing compliance efforts.
In this client alert, we provide a summary of key provisions of the 2013 Final Rules.
Vendors and Subcontractors
In general terms, a Business Associate is a person (including an entity) who performs functions or activities on behalf of, or certain services for, a Covered Entity that involve the use or disclosure of PHI. Pursuant to HITECH, the 2013 Final Rules now specifically include as Business Associates vendors such as providers of certain data transmission or storage services that require routine, rather than merely random or transient, access to PHI. The 2013 Final Rules also specifically include as Business Associates subcontractors of a Business Associate who create, receive, maintain or transmit PHI on behalf of the Business Associate. Because Business Associate status follows from the functions performed rather than from the existence of a contract, a vendor or subcontractor that meets the definition is subject to HIPAA whether or not an agreement is in place. Both Covered Entities and Business Associates may therefore wish to review their service provider relationships in light of the 2013 Final Rules in order to have HIPAA-compliant contracts ("Business Associate Agreements") in place with their Business Associates by the compliance date.
Direct Liability and Business Associates
HIPAA requires Covered Entities and Business Associates to protect the privacy and the security of PHI (the "Privacy Rule" and the "Security Rule," respectively). Prior to HITECH, a Business Associate that failed to provide the required protections was exposed only to contractual liability, through the Covered Entity's enforcement of the terms of the Business Associate Agreement. As a result of HITECH and the 2013 Final Rules, HHS may now also take direct enforcement action against the Business Associate for many Privacy Rule and Security Rule violations. Together with a new tiered penalty structure, this direct liability significantly increases the potential exposure of Business Associates. Business Associate Agreements may also need to be revised to include the specific provisions required by the 2013 Final Rules, such as the Business Associate's obligations to comply with the Security Rule and to report breaches of unsecured PHI to the Covered Entity. (Certain Business Associate Agreements in place before the 2013 Final Rules were published may qualify for an extended compliance deadline of September 22, 2014, unless the agreement is renewed or modified earlier.)
Breach Notification
Covered Entities and Business Associates must notify certain parties if unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI (a "breach"). Under the 2013 Final Rules, such an impermissible use or disclosure is presumed to be a breach unless a risk assessment by the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised. That risk assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated. In this regard, the 2013 Final Rules depart from the Interim Guidance, which did not provide for a presumption of breach but instead required a determination of whether there was a significant risk of financial, reputational or other harm to the individual as a result of the impermissible use or disclosure. All Covered Entities and Business Associates should therefore familiarize themselves with this new standard, and should document the risk assessment supporting any decision not to notify.
Notice of Privacy Practices
The 2013 Final Rules include new content requirements for the Notice of Privacy Practices ("NPP") which the Privacy Rule requires most Covered Entities to distribute. Some of the new requirements apply to all NPPs, such as a statement that the Covered Entity is required by law to notify affected individuals following a breach of unsecured PHI. Others depend on whether the Covered Entity intends to engage in certain activities, such as using or disclosing PHI for underwriting purposes. Because these are considered material changes to the NPP, a health plan that posts its NPP on its website must both post the revised NPP there and provide the revised NPP (or information about the change and how to obtain it) in its next annual mailing to participants; a plan without a website must provide the revised NPP to participants within 60 days of the change. Covered Entities should review their NPPs in light of the 2013 Final Rules in order to determine what revisions are required in advance of the September 23, 2013 compliance date.